"I absolutely expect banks, other companies and ISPs to take advantage of it," Griffiths says. "It takes time and planning, and I would expect it to roll out slowly. ... We've proven that DNSSEC can be rolled out at scale, and we hope people will follow our lead."
One barrier to DNSSEC deployment is that the standard requires every record set a name server hands out to carry a valid signature, which is easy for a zone that changes rarely but extremely difficult for content delivery networks (CDNs), whose answers are rewritten continuously and so must be signed dynamically. That's why popular CDNs such as Akamai and Limelight haven't fully deployed DNSSEC yet.
Consider the case of Akamai, which carries between 15 percent and 30 percent of all Web traffic and supports 20 top global e-commerce sites, 30 top media companies and 8 of the top 10 U.S. banks. Akamai offers DNSSEC support on its Enhanced DNS Service, but it has been working for several years to figure out how to support the emerging security standard on its core content delivery service.
"For our DNS mapping service, we have end users coming from all over the world to 150,000 servers. That's a pretty sizeable and interesting DNS file," explains Andy Ellis, chief security officer of Akamai. "The way that DNSSEC was written was that DNS was a static file. Most organizations have a small zone file that doesn't change more than once a month. ... The DNS file that we use has roughly 3.2 billion [resource records] to give out and sign, and we change them every 20 seconds. ... For us, we're getting into really gross numbers, and we're working on ways to improve that."
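Ellis's point above, as an added example that is not from the article or Akamai: a DNSSEC signature (RRSIG) is computed over the canonical wire form of a whole record set, so the moment a CDN remaps a name to a new address the old signature stops validating and the set must be signed again. The RSA key generation and signature below are a deliberately simplified toy (small key, no PKCS#1 padding) so the file runs with only the Python standard library; the canonical RRset encoding, the RRSIG RDATA layout and the inception/expiration check follow RFC 4034 and RFC 4035. The addresses and names are constructed sample data.

```python
"""Sign and verify a DNS RRset DNSSEC-style to show why a zone whose
records change every few seconds must be re-signed on the fly.

Added example, not Akamai's code.  The RSA key math is a toy: 512-bit key,
no PKCS#1 v1.5 padding.  Real DNSSEC (RFC 4034/4035) uses full RSA, ECDSA
or EdDSA implementations; the RRset canonicalisation and RRSIG field
layout below are the real ones.
"""
import hashlib
import secrets
import struct
import time

TYPE_A = 1
CLASS_IN = 1
ALG_RSASHA256 = 8  # algorithm number only; the key math is a toy


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased labels (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def canonical_rrset(owner, rtype, ttl, rdatas):
    """RRs sorted by RDATA, each as owner|type|class|TTL|rdlength|rdata (RFC 4034 s6.3).
    Sorting is what makes the signature independent of the order the server
    happens to list the records in."""
    rrs = []
    for rdata in sorted(rdatas):
        rrs.append(name_to_wire(owner)
                   + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata))
                   + rdata)
    return b"".join(rrs)


def rrsig_rdata_prefix(rtype, labels, ttl, expiration, inception, keytag, signer):
    """RRSIG RDATA with the signature field left off (RFC 4034 s3.1); this
    prefix is part of what gets signed, so the validity window is bound in."""
    return (struct.pack("!HBBIIIH", rtype, ALG_RSASHA256, labels, ttl,
                        expiration, inception, keytag)
            + name_to_wire(signer))


# --- toy RSA, standard-library only -----------------------------------------
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demo key, not for production."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


def toy_rsa_keypair(bits=512):
    """Returns ((e, n), (d, n)).  Toy-sized; DNSSEC ZSKs are 1024 bits or more."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign_rrset(privkey, owner, rtype, ttl, rdatas, signer, inception, expiration, keytag=1):
    """Produce an RRSIG-like record: signature over RRSIG-prefix || canonical RRset."""
    d, n = privkey
    labels = len(owner.rstrip(".").split("."))
    prefix = rrsig_rdata_prefix(rtype, labels, ttl, expiration, inception, keytag, signer)
    digest = hashlib.sha256(prefix + canonical_rrset(owner, rtype, ttl, rdatas)).digest()
    # Toy: raw RSA on the SHA-256 value (no padding).  A 256-bit digest is
    # always below the 512-bit modulus, so the exponentiation is well defined.
    return {"prefix": prefix, "sig": pow(int.from_bytes(digest, "big"), d, n),
            "inception": inception, "expiration": expiration}


def verify_rrset(pubkey, rrsig, owner, rtype, ttl, rdatas, now):
    """Validator side (RFC 4035 s5.3): window check, then recompute and compare."""
    if not (rrsig["inception"] <= now <= rrsig["expiration"]):
        return False
    e, n = pubkey
    expected = hashlib.sha256(rrsig["prefix"] + canonical_rrset(owner, rtype, ttl, rdatas)).digest()
    return pow(rrsig["sig"], e, n) == int.from_bytes(expected, "big")


def demo(now=None):
    """CDN scenario: sign a mapping, remap the name, see the old RRSIG fail, re-sign."""
    now = int(time.time()) if now is None else now
    pub, priv = toy_rsa_keypair()
    owner, signer, ttl = "www.example.com.", "example.com.", 20
    mapping1 = [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 11])]  # constructed RFC 5737 addresses
    mapping2 = [bytes([192, 0, 2, 12])]                           # "new" mapping 20 s later
    sig1 = sign_rrset(priv, owner, TYPE_A, ttl, mapping1, signer, now, now + 3600)
    sig2 = sign_rrset(priv, owner, TYPE_A, ttl, mapping2, signer, now, now + 3600)
    return {
        "fresh_ok": verify_rrset(pub, sig1, owner, TYPE_A, ttl, mapping1, now),
        "reordered_ok": verify_rrset(pub, sig1, owner, TYPE_A, ttl, list(reversed(mapping1)), now),
        "remapped_stale": verify_rrset(pub, sig1, owner, TYPE_A, ttl, mapping2, now),
        "remapped_fresh": verify_rrset(pub, sig2, owner, TYPE_A, ttl, mapping2, now),
        "expired": verify_rrset(pub, sig2, owner, TYPE_A, ttl, mapping2, now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The `reordered_ok` case shows why canonical ordering matters: a server may list the same addresses in any order without breaking the signature. The `remapped_stale` case is the CDN problem in miniature: every change to the answer set invalidates the RRSIG, so a mapping that changes every 20 seconds needs a fresh signature every 20 seconds, per record set, within the inception/expiration window the validator enforces.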
Ellis concedes that "DNSSEC is important to do" but says that few of Akamai's corporate clients are asking for it or are interested in verifying their DNS traffic at this point in time. "What we see catching a lot more steam is the migration to [Secure Sockets Layer], which is still not perfect but it is a significant step in improving security," Ellis says.
The only segment of Akamai customers asking for DNSSEC is federal agencies, Ellis says.
"The e-commerce sites don't care much because they have a huge [worry] about denial-of-service attacks," Ellis says. "Financial services firms are very concerned about failure. They are very concerned about a bad client deployment of DNSSEC that would cause them to go dark. So they are putting in enhanced validation with SSL."
Ellis says U.S. companies responded to the disclosure of the Kaminsky flaw by patching their DNS software with easy workarounds (the coordinated 2008 patches randomized resolvers' UDP source ports, which makes forged replies much harder to land but does not authenticate answers) rather than taking the time to deploy DNSSEC, which is a more complete but also a more complex solution.
"I don't think the Kaminsky flaw is that big of an issue right now," Ellis says. "DNSSEC doesn't solve the problems that are very real to [U.S. companies] ... like rolling denial of service attacks and phishing-based fraud. That's where we see a lot more of their time and energy being spent."